CVE-2022-24905
MEDIUMArgo CD < 2.1.15, 2.2.0-2.2.9, 2.3.0-2.3.4 - Login Error Message Spoofing via Crafted URL
Title source: llmDescription
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds.
References (4)
Core 4
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/argoproj/argo-cd/releases/tag/v2.1.15
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/argoproj/argo-cd/releases/tag/v2.2.9
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/argoproj/argo-cd/releases/tag/v2.3.4
Third Party Advisory x_refsource_confirm
https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j
Scores
CVSS v3
4.3
EPSS
0.0119
EPSS Percentile
64.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (3)
argoproj/argo-cd
0 - 2.1.15Go
argoproj/argo-cd
2.3.0 - 2.3.4Go
argoproj/argo_cd
0.6.1 - 2.1.15
Published
May 20, 2022
Tracked Since
Feb 18, 2026